DETAILED ACTION

1. Claims 1-37 and 39 are pending.

Response to Arguments 

2. Applicant's arguments filed 06-27-2006 have been fully considered but they are 
not persuasive. 

Applicant contends, "Vaidya and Perelson, even when combined, fail to disclose, 
expressly or inherently generating, for each of the one or more signature definitions, an 
inspector instance based on the data file and executing, for each of the one or more 
signature definitions, the generated inspector instance to detect network traffic matching 
the signature definition." Examiner respectfully disagrees. Vaidya teaches an attack 
signature profile generator generating attack signatures (see abstract "An attack 
signature profile generator is utilized to generate additional attack signature profiles.."), 
Vaidya furthermore teaches the attack signature profile includes a set of instruction 
(inspector instance/ executable code) which are executed to detect network intrusion (see 
column 6, lines 11-14). The fact that Vaidya teaches generating attack signatures and 
generated signature profile includes a set of instructions (inspector instance/executable 
code) implies that the instructions were generated with signatures. 

Applicant further argues that Perelson does not teach the claim limitation of 
generating, for each of the one or more signature definitions, an inspector instance based 
on the data file and executing, for each of the one or more signature definitions, the 
generated inspector instance to detect network traffic matching the signature definition.
However this is incorrect. Perelson discloses creating a protection file by generating a
plurality of test string (inspector instance/executable code) (see paragraph 8, lines 1-53). 

Applicant contends, PTO did not respond to Applicant's previous argument that
Perelson column 6, lines 6-24 does not disclose the claim limitations. However this is not
correct, in the previous Office action of 03/20/2006, in order to provide more clarity for
the claim limitation of inspector instance applicant was referred to column 8, lines 12-53 
(see office action page 2). 

Applicant argument that in Perelson "Given that the test string 112 is randomly
generated, such a test string could not disclose an inspector instance." Examiner
respectfully disagrees. Perelson clearly teaches the test string 112 does not have to be
random (see column 9, lines 64-66). 

In regard to applicant's argument that Chen and Kouznetsov fail to disclose
"communicating to the sensor a desire to create a modified signature from a signature to 
be modified and receiving from the sensor data indicative of parameter and associated 
value for the signature to be modified", Chen teaches in order to modify an object a client 
executes an object and produces a result that is transmitted to a server. The result is 
transmitted from the client to the server so that the server can produce additional object 
based on transmitted result from the client (see column 3, lines 23-27). One ordinary skill
in the art could interpret the transmitted result to the server is a desire to create a 
modified signature from a signature to be modified. Chen furthermore teaches the 
additional object is transmitted from the server to the client for another round of execution 
and producing a result in the client side (see column 7, lines 48-51), again one ordinary
skill in the art could interoperate the additional object received from the server as being
similar to the applicant limitation of receiving from the sensor data indicative of 
parameters and associated value for the signature to be modified. In regard to the same 
argument Kouznetsov teaches an anti-intrusion monitor server transmits among the
other information two items of data to the central anti-intrusion server, Kouznetsov
specifically points out the transmitted two items are for achievement of updating
(modifying) the attack pattern information (see column 7, lines 53-58), in Kouznetsov's
teaching, anti-intrusion monitor server transmitting information consisting of two items to 
the central server in order to update the attack pattern is functionally equivalent to 
applicant's claim limitation of communicating to the sensor a desire to create modified 
signature from signature to be modified. Kouznetsov furthermore teaches receiving from
the sensor data indicative of parameters and associated values for signature to be 
modified (see column 7, lines 62-column 8, line 7). 

Applicant further argues, in regard to claim 35, Bardsley teaches a structure of a 
signature file and "From this general description of a signature file, Applicant are
unaware as to how the "an engine parameter and associated name for the engine 
parameter and user-defined signatures with parameter value pairs associated with the 
user-defined signatures and an engine parameter and an associated name for the engine 
parameter for defining signature to be detected by the at least one engine could be 
disclosed". By broadly interpreting claim 35 only stores some data such as default 
signatures and engine parameters. Claim 35 does not result any function, applicant have 
not shown besides storing some data exactly what else is being accomplish by the claim
limitations. In the last line claim 35 recites: " ..for defining signature to be detected by the
at least one engine", however to be detected does not provide any function, in another 
word to be detected is different than "is detected" and clearly does not mean "is detected", 
therefore examiner does not see any function and result accomplished by at least one
engine. Based on the above interpretation Bardsley clearly teaches a intrusion detection 
sensor which among the other components includes a signature file for storing signatures 
and other data such as signature identifiers, signature events, signature event counter, 
signature threshold quantity and signature threshold interval (see Bardsley, paragraph 
[0024]-[0030]). Bardsley's teaching is functionally equivalent and reads on the claim 
limitation since claim limitation does not include any achieved result besides storing data 
and values. 

In response to applicant's argument, that there is no suggestion to combine the 
references, the examiner recognizes that obviousness can only be established by 
combining or modifying the teachings of the prior art to produce the claimed invention 
where there is some teaching, suggestion, or motivation to do so found either in the 
references themselves or in the knowledge generally available to one of ordinary skill in 
the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) and In re
Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992). In regard to claim 1 and 28, it
would have been obvious to person having ordinary skill in the art at the time the
invention was made to combine Vaidya and Perelson. This would have been obvious
because person having ordinary skill in the art at the time the invention was made would
have been motivated to do so in order to prevent the spread of viruses and detect the
newly introduced viruses and furthermore to match the plurality of contiguous digital 
signal of the test file to the plurality of contiguous digital signals of the original file 
(column 2, lines 8-12). 

In regard to claim 11, it would have been obvious to person having ordinary skill
in the art at the time the invention was made to combine Vaidya and Perelson. This
would have been obvious because person having ordinary skill in the art at the time the 
invention was made would have been motivated to do so in order to detect changes to 
the original computer file, where the original file has an associated protection file 
(column 2, lines 17-20). 

In regard to claim 19, it would have been obvious to person having ordinary skill 
in the art at the time the invention was made to combine Chen and Kouznetsov. This
would have been obvious because person having ordinary skill in the art at the time the 
invention was made would have been motivated to do so in order to update recognize 
and detect new attacks and furthermore to update attack signature files either 
automatically or in accordance with user-set monitoring profiles (column 5, lines 19-21). 

In regard to claim 35, it would have been obvious to person having ordinary skill 
in the art at the time the invention was made to combine Vaidya and Bardsley. This
would have been obvious because person having ordinary skill in the art at the time the 
invention was made would have been motivated to do so in order to protect the network 
from any attacks and furthermore to decrease the likelihood that the intrusion detection
server will fail or that troublesome queues and resulting delay will build (paragraph
[0011]). 

In view of above discussion examiner maintains the rejection as follows: 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth
in section 102 of this title, if the differences between the subject matter sought to be patented and the 
prior art are such that the subject matter as a whole would have been obvious at the time the invention 
was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 1-6, 8, 10, 11, 13-18, 28 and 31-34 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Vimal Vaidya. (US Patent NO 6,279,113) in view of Alan S.
Perelson et al. (US patent NO Re 36,417). 

Regarding Claim 1 

Vaidya teaches a method for intrusion detection of network traffic 
comprising: storing a data file comprising data defining one or more signature 
definition and one or more parameters and associated values (column 8, lines 8-
36); and executing signature definitions to detect network traffic matching the 
signature definition (column 6, lines 53-57). Vaidya does not explicitly teach 
generating, for each of the one or more signature definitions, an inspector 
instance based on the data file; and executing, for each of the one or more 
signature definitions, the generated inspector instance to detect network traffic 
matching the signature definition. However, in an analogous art Perelson teaches
generating an inspector instance and executing the generated inspector instance
to detect network traffic matching the signature definition (column 8, lines 12-53). 
Therefore it would have been obvious to person having ordinary skill in the art at 
the time the invention was made to modify the method disclosed by Vaidya to 
include generating, for each of the one or more signature definitions, an inspector 
instance based on the data file; and executing, for each of the one or more 
signature definitions, the generated inspector instance to detect network traffic 
matching the signature definition. This would have been obvious because person 
having ordinary skill in the art at the time the invention was made would have 
been motivated to do so in order to prevent the spread of viruses and detect the 
newly introduced viruses and furthermore to match the plurality of contiguous 
digital signal of the test file to the plurality of contiguous digital signals of the 
original file (column 2, lines 8-12). 



Regarding Claim 11 

Vaidya teaches a method for use in intrusion detection comprising: storing 
a default signature file defining one or more default signatures (column 6, lines 
53-56); storing a customized signature file defining one or more custom 
signatures (paragraph 3, lines 21-23); generating, for each of the one or more 
signatures defined in the default signature file, executable code operable to 
detect intrusions associated with the default signature (column 6, lines 11-14); 
executable code operable to detect intrusions associated with the custom
signature (column 6, lines 11-14 and column 3, lines 21-23). Vaidya does not
explicitly teach Automatically generating, executable code operable to detect 
intrusions associated with the default signature and generating, executable 
code operable to detect intrusions associated with the custom signature. 
However, in an analogous art, Perelson teaches a method wherein the 
executable codes are automatically generated (column 3, lines 5-24). Therefore it 
would have been obvious to person having ordinary skill in the art at the time the 
invention was made to modify the method disclosed by Vaidya to include 
Automatically generating, executable codes for default and customize signature. 
This would have been obvious because person having ordinary skill in the art at 
the time the invention was made would have been motivated to do so in order to 
detect changes to the original computer file, where the original file has an 
associated protection file (column 2, lines 17-20). 



Regarding Claim 28 

Vaidya teaches a system for intrusion detection comprising: a sensor for 
detecting possible network intrusions, one or more engine groups each 
associated with one or more network detection engines (column 6, lines 57-67 
and column 7, lines 1-11) a configuration handler comprising: a default signature
file storing one or more signature definitions defining one or more respective 
default signatures for use by the sensor; and a user signature file storing a 
plurality of user-defined signatures for use by the sensor (column 6, lines 53-57);
executable code based on either one of the stored default signatures or one of
the stored user-defined signatures, the executable code operable to detect a 
network intrusion defined by the associated user-defined signature or the 
associated default signature (column 6, lines 11-13). Vaidya does not explicitly 
teach generating an executable code. However in an analogous art Perelson 
teaches generating an executable code to detect a network intrusion (column 6, 
lines 6-24). Therefore it would have been obvious to person having ordinary skill in
the art at the time the invention was made to modify the method disclosed by 
Vaidya to generate an executable code based on either one of the stored default 
signatures or one of the stored user-defined signatures, the executable code 
operable to detect a network intrusion defined by the associated user-defined 
signature or the associated default signature. This modification would have been 
obvious because person having ordinary skill in the art at the time the invention 
was made would have been motivated to do so in order to prevent the spread of 
viruses and detect the newly introduced viruses and furthermore to match the 
plurality of contiguous digital signal of the test file to the plurality of contiguous 
digital signals of the original file (column 2, lines 8-12). 

Regarding Claims 2, 3 and 4 

Vaidya and Perelson teach all limitation of the claim as applied to claim 1 
above. Vaidya furthermore teaches a method comprising: storing user data file 
comprising signature definitions, each modified signature definition comprising
signature identifier associating the modified signature definition with a
corresponding signature definition stored in the data file and for each signature 
definition, data comprising: a signature identification number parameter and 
associated value; a signature name and associated string; one or more 
parameters and respective values defining characteristics of the signature 
(column 9, lines 48-52) and each signature definition is stored in a separate line 
of data file (column 6, lines 53-57). Perelson furthermore teaches generating, 
revised inspector instance based the modified signature definition and 
corresponding generated inspector instance (column 6, lines 6-24). 



Regarding Claim 5 

Vaidya and Perelson teach all limitation of the claim as applied to claim 2 
above. Vaidya furthermore teaches a method, wherein the one or more modified 
signature definitions comprises modified values for associated modified 
parameters and no values indicative of the parameters in the corresponding 
signature definition that are not modified (column 3, lines 1-11).

Regarding Claim 6 

Vaidya and Perelson teach all limitation of the claim as applied to claim 1 
above. Vaidya furthermore teaches a method, wherein the data file comprises a 
file received from a sensor provider (column 6, lines 44-56).

Regarding Claim 8

Vaidya and Perelson teach all limitation of the claim as applied to claim 1 
above. Vaidya furthermore teaches a method of receiving the data file at the 
sensor configuration handler (column 6, lines 37-40). 

Regarding Claim 10 

Vaidya and Perelson teach all limitation of the claim as applied to claim 1 
above. Vaidya furthermore teaches a method comprising: storing a user data file 
comprising one or more user-defined signature definitions, each user-defined 
signature definition comprising a signature identifier not associated with any of 
the signature definitions in the data file (column 9, lines 48-52). Perelson 
furthermore teaches generating, for each of the user-defined signature 
definitions, an inspector instance based on the user defined signature (column 6, 
lines 6-24).

Regarding Claim 13 

Vaidya and Perelson teach all limitation of the claim as applied to claim 11
above. Perelson furthermore teaches a method automatically generating, for 
each custom signature, executable code operable to detect intrusions associated 
with the custom signature based on the generated executable code of an 
associated default signature (column 6, lines 6-24).

Regarding Claim 14

Vaidya and Perelson teach all limitation of the claim as applied to claim 11 
above. Ziese furthermore teaches a method, wherein the one or more custom
signatures comprises modifications of the default signatures (column 3, lines 61- 
67). 

Regarding Claim 15 

Vaidya and Perelson teach all limitation of the claim as applied to claim 11
above. Ziese furthermore teaches a method, wherein generating, for each of the
one or more default signatures, comprises generating executable code 
associated with the default signature based on an inspector shell (column 4, lines 
51-56). 

Regarding Claim 16 

Vaidya and Perelson teach all limitation of the claim as applied to claim 15 
above. Ziese furthermore teaches a method, wherein the executable code
associated with the default signature is operable to compare a plurality of 
parameter values to a plurality of parameter values defined by the default 
signature (paragraph 5, lines 16-23). 



Regarding Claim 17 

Vaidya and Perelson teach all limitation of the claim as applied to claim 11
above. Vaidya furthermore teaches a method, wherein the default signature file
comprises, for each default signature; a signature identification number
parameter and associated value; a signature name and associated string; and 
one or more parameters and respective values defining characteristics of the 
default signature (column 9, lines 48-52). 



Regarding Claim 18 

Vaidya and Perelson teach all limitation of the claim as applied to claim 11 
above. Vaidya furthermore teaches a method, wherein the custom signature file 
comprises, for each signature; a signature identification number parameter and 
associated value; a signature name and associated string; and one or more 
parameters and respective values defining characteristics of the default signature 
(column 9, lines 48-52 and column 3, lines 21-23). 

Regarding Claim 31 

Vaidya and Perelson teach all limitation of the claim as applied to claim 28 
above. Vaidya furthermore teaches a system, wherein handler further comprises 
a user interface operable to: receive an identification of a signature to be 
modified; the configuration provides a list of parameters and associated values 
for the signature to be modified (column 9, lines 48-52). Perelson furthermore 
teaches receiving revised values for one or more of the parameters; and write a 
revised signature to the user-defined data file (column 6, lines 6-24).

Regarding Claim 32 and 33

Vaidya and Perelson teach all limitation of the claim as applied to claim 28 
above. Vaidya furthermore teaches a system, wherein the configuration handler 
further comprises a user interface operable to: provide a list of possible 
parameters for a particular engine; receive a plurality of values for one or more of 
the parameters to define a user-defined signature associated with the engine; 
and parameters; write a user-defined signature to the user signature file and a 
reader and dispatcher to read data from default and user signature file and 
transmit to one or more engine (column 7, lines 11-30).

Regarding Claim 34 

Vaidya and Perelson teach all limitation of the claim as applied to 
claim 28 above. Vaidya furthermore teaches a system further comprising a 
management console associated with the sensor and operable to communicate 
configuration data to the configuration handler and receive configuration help 
information from the configuration handler (column 7, lines 25-30). 

5. Claims 7 and 9 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Vimal Vaidya. (US Patent NO 6,279,113) in view of Alan S. Perelson et al. (US patent
NO Re 36,417), further in view of Smaha et al. (US patent NO 5,557,742).

Regarding Claim 7 and 9

Vaidya and Perelson teach all limitation of the claim as applied to claim 1 
and above. Vaidya and Perelson do not explicitly teach the data file comprises a 
file generated by a user and receiving configuration data file from a user and 
storing the received configuration data file in a user data file. However in an 
analogous art Smaha teaches the data file comprises a file generated by a user 
and storing the received configuration data file in a user data file (paragraph 3, 
lines 54-64 and fig 4). Therefore it would have been obvious to person having 
ordinary skill in the art at the time the invention was made to modify the method 
disclosed by Vaidya and Perelson to include generating the data file by a user 
and storing the received configuration data file in a user data file. This would 
have been obvious because person having ordinary skill in the art at the time the 
invention was made would have been motivated to do so in order to enable the 
user to control the input mechanism and load a set of selected misuses 
(paragraph 9, lines 1-5) 

6. Claims 12 and 29 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Vimal Vaidya. (US Patent NO 6,279,113), in view of Alan S. Perelson (US Patent 
NO Re. 36,417), further in view of Kavin J. Ziese (US Patent NO 6,484,315).

Regarding Claim 12 and 29

Vaidya and Perelson teach all limitation of the claim as applied to claim 11
and 28 above. Vaidya and Perelson do not explicitly teach storing a customized 
signature file comprises storing modification of one or more of the default 
signature and configuration handler comprising stored modification to the default 
signatures. However, in an analogous art Ziese teaches storing a customized 
signature file comprises storing modification of one or more of the default 
signature and configuration handler comprising stored modification to the default 
signatures (column 4, lines 51-67 and column 5, lines 1-2). Therefore it would 
have been obvious to person having ordinary skill in the art at the time the 
invention was made to modify the method disclosed by Vaidya and Perelson to 
include storing modification of one or more of the default signature and 
configuration handler comprising stored modification to the default signatures. 
This would have been obvious because person having ordinary skill in the art at 
the time the invention was made would have been motivated to do so in order to 
dynamically distribute intrusion detection update. 

7. Claims 19-27 are rejected under 35 U.S.C. 103(a) as being unpatentable over Eva
Chen et al. (US Patent NO. 5,960,170) in view of Kouznetsov (US Patent NO.
6,725,377).

Regarding Claim 19

Chen teaches a method for use in intrusion detection comprising: 
providing a sensor having a plurality of defined signatures (column 3, lines 57- 
59), and providing to the sensor a modified value for at least one of the 
parameters to create a modified signature (column 7, lines 34-40). Chen does 
not explicitly teach communicating to sensor a desire to create a modified 
signature and receiving from the sensor data indicative of parameters and 
associated values for the signature to be modified. However in an analogous art 
Kouznetsov teaches communicating to sensor a desire to create a modified 
signature and receiving from the sensor data indicative of parameters and 
associated values for the signature to be modified (paragraph 7, lines 39-67). 
Therefore it would have been obvious to person having ordinary skill in the art at
the time the invention was made to modify the method disclosed by Chen to 
include communicating to sensor a desire to create a modified signature and 
receiving from the sensor data indicative of parameters and associated values for 
the signature to be modified. This would have been obvious because person 
having ordinary skill in the art at the time the invention was made would have 
been motivated to do so in order to update recognize and detect new attacks and 
furthermore to update attack signature files either automatically or in accordance 
with user-set monitoring profiles (column 5, lines 19-21).

Regarding claim 20

Chen and Kouznetsov teach all limitation of the claim as applied to claim
19 above. Chen furthermore teaches a method comprising storing data
associated with the modified signature in the sensor at a location separate from 
the associated unmodified signature (column 17, lines 24-25). 

Regarding claim 21 

Chen and Kouznetsov teach all limitation of the claim as applied to claim
20 above. Chen furthermore teaches storing in the sensor the name, signature
identification number, and one or more parameters and associated values for the
modified signature (column 13, lines 1-23 and fig 4c).

Regarding claim 22 

Chen and Kouznetsov teach all limitation of the claim as applied to claim
19 above. Chen furthermore teaches communicating to the sensor the name of
an engine associated with the signature (column 13, lines 1-23).

Regarding claim 23 

Chen and Kouznetsov teach all limitation of the claim as applied to claim
20 above. Chen furthermore teaches storing plurality of parameter names and
associated value (column 13, lines 1-23 and fig 4c).

Regarding claim 24

Chen and Kouznetsov teach all limitation of the claim as applied to claim 
19 above. Chen furthermore teaches a method further comprising selecting a 
signature to be modified from the plurality of defined signatures (column 3, lines 
28-35). 

Regarding claim 25 

Chen and Kouznetsov teach all limitation of the claim as applied to claim 
22 above. Chen furthermore teaches a method comprising receiving a list 
indicative of all defined signatures associated with the engine (column 3, lines 
57-60). 

Regarding Claim 26 and 27 

Chen and Kouznetsov teach all limitation of the claim as applied to claim 
19 above. Chen furthermore teaches a method, wherein providing a sensor 
having a plurality of defined signatures comprises providing a sensor having a 
default data file defining the defined signatures and updating the default file 
(column 7, lines 62-67). 

8. Claim 30 is rejected under 35 U.S.C. 103(a) as being unpatentable over Vimal
Vaidya. (US Patent NO 6,279,113), in view of Alan S. Perelson (US Patent NO Re. 36,417),
in view of Kavin J. Ziese (US Patent NO 6,484,315), further in view of Smaha et
al. (US patent NO 5,557,742). 

Regarding Claim 30 

Vaidya, Perelson and Ziese teach all limitation of the claim as applied to 
29 above. Vaidya, Perelson and Ziese do not explicitly teach the stored 
modifications are stored in the user signature file. However, in an analogous art, 
Smaha teaches a system wherein the stored modifications are stored in the user 
signature file (paragraph 3, lines 54-64 and fig 4). Therefore it would have been 
obvious to person having ordinary skill in the art at the time the invention was 
made to modify the method disclosed by Vaidya, Perelson and Ziese to store the 
modifications in the user signature file. This would have been obvious because 
person having ordinary skill in the art at the time the invention was made would 
have been motivated to do so in order to enable the user to control the input 
mechanism and load a set of selected misuses (column 9, lines 1-5). 

9. Claims 35-37 and 39 are rejected under 35 U.S.C. 102(e) as being anticipated by
Vimal Vaidya. (US Patent NO 6,279,113) in view of Bardsley (US Publication NO
2003/0061514).

Regarding Claim 35

Vaidya teaches a system for intrusion detection, comprising: a sensor for 
detecting possible network intrusions, the sensor comprising: at least one engine 
(column 7, lines 1-24); and a means for storing default signatures with 
parameter-value pairs associated with the default signatures (column 6, lines 53- 
57) and user-defined signatures with parameter-value pairs associated with the 
user-defined signatures for defining signature to be detected by the at least one 
engine (column 3, lines 21-22). Vaidya does not explicitly teach an engine 
parameter and an associated name for the engine parameter. However, in an 
analogous art, Bardsley teaches an engine parameter and an associated name 
for the engine parameter (paragraph [0024]-[0030]). Therefore it would have been
obvious to person having ordinary skill in the art at the time the invention was 
made to modify the system disclosed by Vaidya to include an engine parameter 
and an associated name for the engine parameter. This modification would have 
been obvious because person having ordinary skill in the art at the time the 
invention was made would have been motivated to do so in order to protect the 
network from any attacks and furthermore to decrease the likelihood that the 
intrusion detection server will fail or that troublesome queues and resulting delay 
will build (paragraph [0011]).

Regarding Claim 36

Vaidya teaches a method for use in intrusion detection of network traffic 
comprising: storing in a memory a signature definition associated with a 
signature to be detected (column 6, lines 53-56), the signature definitions 
comprising: an identifier for the signature; and one or more parameter-value pairs 
associated with the signature (column 9, lines 47-49), each parameter-value pair 
comprising a parameter name and associated parameter value (column 9, lines 
49-60); and determining, based on the signature definition, the values that 
associated parameters of network traffic must take to meet the signature (column 
10, lines 45-67 and column 11, lines 1-15). Vaidya does not explicitly teach an 
engine parameter and an associated name for the engine parameter. However, 
in an analogous art, Bardsley teaches an engine parameter and an associated 
name for the engine parameter (paragraph [0024]-[0030]). Therefore it would have
been obvious to person having ordinary skill in the art at the time the invention 
was made to modify the method disclosed by Vaidya to include an engine 
parameter and an associated name for the engine parameter. This modification
would have been obvious because person having ordinary skill in the art at the 
time the invention was made would have been motivated to do so in order to 
protect the network from any attacks and furthermore to decrease the likelihood 
that the intrusion detection server will fail or that troublesome queues and 
resulting delay will build (paragraph [0011]).

Regarding Claim 37 and 39

Vaidya and Bardsley teach all limitation of the claim as applied to claim 36 
above. Vaidya furthermore teaches a method, further comprising storing a 
plurality of signature definitions in a data file, each signature definition on a 
different line of the data file (column 6, lines 53-57) and each signature definition 
comprises an identification parameter preceding the signature (column 9 lines 
47-61). 



References Cited, Not Used 

10. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: 

1. U.S. Patent No. 6,928,549 

This reference relates to a method of operating an intrusion detection 
system that protects a computer system from intrusions by vandals such as 
hackers. 

2. U.S. Patent No. 6,725,377 

This reference relates to a computer program product and method that 
modifies anti-intrusion software on a computer network.

Conclusion

11. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Ali Abyaneh
Patent Examiner 
Art Unit 2137 
08-31-06